Agreement on personal data processing

The Processor undertakes to process personal data for the controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and under the following conditions:

1. INTRODUCTORY PROVISIONS

1.1 For the purposes of this Agreement, the processor shall be Brands360 Sp Zoo., with its registered office at OS Stare Zegrze 10/11, VAT No.: PL7831711836, entered in the Commercial Register maintained by the Regional Court in Poznan, Poland.
1.2 For the purposes of this Agreement, the controller shall be the registered user of the www.brands360.biz portal and associated applications (hereinafter “portal”) which alone or jointly with others determines the purposes and means of the processing of personal data of its contracting partners entered or imported into the portal.
1.3 The processor shall perform activities for the controller that are further described in the current version of the Terms and Conditions (hereinafter “Terms and Conditions”).
1.4 For the purposes of this Agreement, personal data shall mean any information related to the controller’s con¬tracting partners that is protected under the relevant legislation.

2. SUBJECT AND PURPOSE OF AGREEMENT

2.1 The subject of processing under this Agreement is the personal data listed below.
2.2 The purpose of this Agreement is the controller’s au-thorisation provided to the processor, enabling the provider to process the above-mentioned personal data and the regulation of mutual rights and obligations of the controller and the processor arising from the legislation for the protection of personal data, particularly from Regulation (EU) 2016/679 of the European Parliament and of the Council, when providing services according to the processor’s Terms and Conditions.

3. NATURE AND SCOPE OF PROCESSING, CATEGORIES OF DATA SUBJECTS AND DATA TYPES

3.1 The Processor is entitled and undertakes to process personal data under this Agreement, exclusively for the purpose and in accordance with the Terms and Conditions and this Agreement. The data will be processed electronically.
3.2 The controller, hereby, instructs and authorises the processor to process personal data to the extent and in the manner specified in this Agreement.
3.3 The Processor shall process, for the controller, personal data related to controller’s con¬tracting partners that the controller enters or imports in the portal. The controller shall be exclusively liable for personal data entered or imported into the portal as the processor is not able to influence the type of personal data provided.
3.4 In relation to the above-mentioned categories of data subjects, the processor shall process the following types of data for the controller:
Identification data: first name, surname, date of birth, age
Contact details: phone number, e-mail address, mailing address
Other data: web URL, gender, degree, billing details, photo, location data.
3.5 The processor is entitled to process other personal data to a minimum extent that is necessary to conduct business in accordance with the Terms and Conditions or to fulfil obligations imposed by legal regulations.

4. PROCESSOR’S RIGHTS AND OBLIGATIONS

4.1 The processor warrants the controller that when processing personal data, such technical and organisational measures are taken to ensure the compliance with all principles of personal data processing stipulated by applicable legal regulations. For this purpose, the processor shall:
a. minimise the number of persons who have access to personal data (individual types of personal data can only be accessed by certain persons with a specific user authorisation and data carriers are stored in secured areas);
b. train its employees;
c. examine the compliance with the employees’ obligations arising from the legislation for the protection of personal data and organisational measures of the processor; d. follow its internal guidelines when processing personal data; and
e. take such technical measures to protect personal data that corresponds to the risk to the data subject’s rights, taking into account the state-of-the-art, the cost of implementation and the nature, scope, context and purposes of processing, and regularly test and check these measures.
4.2 The processor undertakes to:
a. provide the controller with information necessary to demonstrate compliance with obligations under the law and information about the level of security of personal data at the controller’s re¬quest;
b. if agreed by the controller and the processor, provide the controller with assistance when:
o fulfilling the controller’s o¬bligations, arising from potential requests from data subjects to exercise their rights under the legislation for the protection of personal data;
o reporting personal data breaches to the supervisory authority or the data subject; or o fulfilling the controller’s in¬formation obligation.
4.3 The processor is obliged to:
a. protect personal data, as well as carriers containing such data against misuse;
b. prevent accidental or unlawful destruction, loss and alteration of and unauthorised access to personal data and carriers containing the data;
c. ensure that personal data is processed only by persons that have undertaken the confidentiality obligation or that are bound by the confidentiality obligation under the law; or
d. process personal data for a purpose other than those stipulated by this Agreement only with prior consent from the controller or after obtaining consent from data subjects. 4.4 The processor is entitled to:
a. authorise another processor to process personal data only under the conditions specified in Art. 6 of this Agreement; and
b. refuse to follow a controller’s in¬structions if these instructions are contrary to the legislation for the protection of personal data. The processor shall notify the controller of said contradiction with applicable legal regulations.

5. CONTROLLER’S RIG¬HTS AND OBLIGATIONS

5.1 The controller declares that they are the controller of personal data under the applicable legal regulations, i.e. the person determining the purpose and means of personal data processing.
5.2 The controller shall:
a. ensure that personal data is obtained and processed in accordance with applicable legal regulations;
b. fulfil the information obligation towards data subjects arising from applicable legal regulations;
c. provide the processor or ensure that the processor is provided with personal data that is accurate, up-to-date and corresponds with the performance under the Terms and Conditions; and
d. provide the processor with personal data in a timely manner and with the assistance necessary for the performance under this Agreement.
5.3 When processing personal data, the controller shall take technical and organisational measures to ensure the compliance with all principles of personal data processing stipulated by applicable legal regulations. For this purpose, the controller shall:
a. minimise the scope of personal data processed;
b. minimise the number of persons with access to personal data; and
c. take said technical measures to protect personal data that corresponds to the risk to the data subject’s rights, taking into account the state-of-the-art, the cost of implementation and the nature, scope, context and purposes of processing.

6. FURTHER PROCESSING

6.1 The controller, hereby, grants the processor consent to the authorisation of another processor to process personal data if it is necessary for the provision of the service agreed in the Terms and Conditions.
6.2 The processor is explicitly entitled to disclose personal data for the above purpose, in particular to mobile operators, SMS aggregators and other providers of telecommunication services.
6.3 The controller, hereby, grants the processor its explicit consent to the transfer of personal data to third countries for the purpose of performance under the Terms and Conditions.

7. DURATION OF PROCESSING

7.1 The duration of personal data processing corresponds to the duration of the service provision under the Terms and Conditions agreed between the controller and the processor.
7.2 After the termination of the contractual relationship, the processor is entitled to process personal data to the extent and in the manner specified in the Terms and Conditions.

8. FINAL PROVISIONS

8.1 This Agreement and rights and obligations arising from the Agreement shall be governed by the laws of the Czech Republic.
8.2 This Agreement shall become valid and effective upon checking the box “I agree with the Agreement on personal data processing” by the controller when registering in the portal and upon successfully completing the registration in the portal.